Merge pull request #20853 from edx/mushtaq/fix-csrf-referer-not-trusted

Add CSRF_TRUSTED_ORIGINS settings

Merge pull request #20853 from edx/mushtaq/fix-csrf-referer-not-trusted
Add CSRF_TRUSTED_ORIGINS settings
07addf5f · Mushtaq Ali · GitHub · 257406b2 · d9a67496 · 07addf5f
Unverified Commit 07addf5f authored 5 years ago by Mushtaq Ali Committed by GitHub 5 years ago
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -2314,6 +2314,7 @@ CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
 # It is highly recommended that you override this in any environment accessed by
 # end users
 CSRF_COOKIE_SECURE = False
+CSRF_TRUSTED_ORIGINS = []

 ######################### Django Rest Framework ########################


--- a/lms/envs/production.py
+++ b/lms/envs/production.py
@@ -428,6 +428,9 @@ NOTIFICATION_EMAIL_EDX_LOGO = ENV_TOKENS.get('NOTIFICATION_EMAIL_EDX_LOGO', NOTI
 # by end users.
 CSRF_COOKIE_SECURE = ENV_TOKENS.get('CSRF_COOKIE_SECURE', False)

+# Determines which origins are trusted for unsafe requests eg. POST requests.
+CSRF_TRUSTED_ORIGINS = ENV_TOKENS.get('CSRF_TRUSTED_ORIGINS', [])
+
 # Whitelist of domains to which the login/logout pages will redirect.
 LOGIN_REDIRECT_WHITELIST = ENV_TOKENS.get('LOGIN_REDIRECT_WHITELIST', LOGIN_REDIRECT_WHITELIST)